Western Digital NAS Units Come With Hard Coded Backdoor

If you’ve got a Western Digital My Cloud, you’d best hit the software update button and install the latest firmware upgrade. Security researcher James Bercegay says over a dozen different models have a hard-coded backdoor that lets anyone log in using a specific username/password combination.

According to the researcher, the following models are affected:

  • MyCloud
  • MyCloudMirror
  • My Cloud Gen 2
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100

Full details on the vulnerability are published at Gulftech’s website.

Bercegay says the issue arises because of “the misuse and misunderstanding of the PHP gethostbyaddr() function used within PHP, by the developer of this particular piece of code”. As a result, anyone can log in as user mydlinkBRionyg using abc12345cba as their password. That user account has admin access to the device.

D-Link had the same problem and patched the vulnerability back in 2014, but it seems WD have let this slide for quite some time. Bercegay notified WD last June, and the bug went public last week.
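
For anyone who wants to check whether the hard-coded account named above has been tried against their device, here is a small log check. It is an added example, not code from the researcher or from WD. It assumes a web access log in Common Log Format and that the credentials travel in the request URL, possibly percent-encoded or with the password base64-encoded; the path and parameter names in the sample lines are hypothetical.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Credentials as published in the article above.
BACKDOOR_USER = "mydlinkBRionyg"
BACKDOOR_PASS = "abc12345cba"

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def _maybe_b64(value):
    """Return value base64-decoded as text, or None if it is not valid base64."""
    try:
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def find_backdoor_logins(lines):
    """Yield one finding per logged request that carries the hard-coded username."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        # parse_qsl percent-decodes values, so %-encoded attempts still match.
        query = urlsplit(m["target"]).query
        values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
        if BACKDOOR_USER not in values:
            continue
        has_pass = any(v == BACKDOOR_PASS or _maybe_b64(v) == BACKDOOR_PASS
                       for v in values)
        yield {"ip": m["ip"], "time": m["time"],
               "status": int(m["status"]), "password_seen": has_pass}

# Constructed sample log lines (documentation IP ranges, hypothetical path/params).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Jan/2018:10:02:13 +0000] '
    '"GET /cgi-bin/example.cgi?user=mydlinkBRionyg&pw=YWJjMTIzNDVjYmE HTTP/1.1" 200 87',
    '198.51.100.9 - - [08/Jan/2018:10:05:40 +0000] '
    '"GET /cgi-bin/example.cgi?user=mydlink%42Rionyg&pw=guess HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in find_backdoor_logins(SAMPLE_LOG):
        print(finding)
```

Credentials sent in a POST body do not appear in an access log, so a clean result here does not rule out an attempt.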

